One year on from the Facebook data breach -- what has changed? [Q&A]
One year ago this week Facebook suffered a massive data breach that prompted the company to reset access for around 90 million accounts.
A year on from this event, what has been done to make users' data more secure, and are people becoming more aware of the risks to their privacy from using social networks and other sites? We spoke to Fouad Khalil, VP of compliance at SecurityScorecard, to discuss these things and more.
BN: What has Facebook done in the last year to stop a similar breach happening?
FK: I've yet to see anything that made me say, "Ah-ha, they're heading in the right direction." There has been no public communication of any kind that indicates they are exercising diligence to stop this from happening again. We're also seeing that Facebook's revenue is increasing, it's expanding into other areas, it’s making statements that its privacy controls are protecting our personal data, but I have nothing in hand that confirms that.
BN: We've seen a raft of new and proposed privacy legislation appearing, has any of that made a difference?
FK: The privacy tidal wave is hitting the globe. HIPAA in the US is the father of most privacy law; then GDPR came along, California's privacy law was effectively the GDPR for America, and other states are acting too -- though disappointingly New York didn't pass its law. The big question is: are organizations ready, and can they claim they are compliant? That's the biggest unknown at this point. I see regulation continuing to grow, but I hope we stop issuing policies, procedures and guidelines and instead exercise ways to ensure organizations are complying and help them get there. Rather than use a legislative hammer, maybe give them a ladder instead.
BN: Isn't part of the problem that consumers don't actually know if companies are complying with regulations?
FK: I completely agree. Even if you ask the question you'll get a confirmation that everything is taken care of, but how do you prove that? Facebook is an example of data being everywhere. I would love to see some evidence that they have full oversight into personal data, private data: where it's located, how they control it, how they protect it and how they ensure it gets deleted on request. In my opinion it's probably an impossible task for an organization like Facebook, because if it had built its privacy and security programs on a good foundation it wouldn't have had the breach in the first place.
BN: Is there a need for some kind of official audit process allowing companies to become verified?
FK: An audit outcome is only as good as the auditor. An audit may not cut it; I think organizations have to step up and show evidence that they are addressing consumer interests and concerns. It should be in the nature of doing business. They need to take it on themselves and give consumers the trust and comfort that their data is protected.
BN: Are consumers becoming more aware of the problem?
FK: They're definitely more aware, but have they actually changed the way they conduct transactions because of recent breaches? I doubt it. Has the usage of Facebook dropped? Not at all; revenue and direction are still upward. Being aware is one thing, but actually taking action to ensure that organizations are taking appropriate actions to protect information is another. Reliance on industry bodies, regulators and laws to take care of the problem isn't going to solve things.
BN: How great is the paradox between giving away data and getting personalized services?
FK: Capital One and British Airways had breaches, but people are still using credit cards and taking flights; business as usual hasn't changed. Protecting data should be part of doing business. 'Security by design' is what GDPR calls it; what I'd like to propose is 'continuous oversight', because what you did yesterday may have changed today. When it comes to cloud solutions you have to establish ways to continuously monitor what's happening.
People need to be more aware of the risks they run when they check their bank account over public Wi-Fi, for example. If I'm a malicious actor, all I have to do is sit in a restaurant in the mall and pick up on all that clear-text transmission. We have a long way to go in educating consumers and making sure they have tools to protect their information without needing to be tech savvy enough to do it themselves.
BN: What can be done to promote greater awareness?
FK: At SecurityScorecard we create ratings for businesses and websites. What I'd like to see is this: just as a restaurant has a hygiene rating from the city as to how clean it is, when you visit an online bank you should be able to see whether it has a good security score, so you'll feel happier about doing business with it. There have to be ways to establish baselines and standards that we as consumers can rely on. We use credit scores to get a loan; why shouldn't that work the other way when we're choosing who to deal with? Show me you have a good security score and maybe I'll give you my custom.
BN: How far away are we from a culture where you can be sure of being safe online?
FK: That's the million-dollar question. I think we're quite a long way off, unfortunately; I wish I could say differently. There are forecasts that we're looking at an economic dip in 2020, and typically when those things happen crime and cyber threats increase. If an organization has not implemented continuous oversight, it is never going to keep up.